PRIVACY Forum Digest      Monday, 11 March 1996      Volume 05 : Issue 06

            Moderated by Lauren Weinstein (lauren@vortex.com)
              Vortex Technology, Woodland Hills, CA, U.S.A.

                       ===== PRIVACY FORUM =====

-------------------------------------------------------------------
The PRIVACY Forum is supported in part by the ACM (Association for
Computing Machinery) Committee on Computers and Public Policy,
"internetMCI" (a service of the Data Services Division of MCI
Telecommunications Corporation), and Cisco Systems, Inc.
                                 - - -
These organizations do not operate or control the PRIVACY Forum in
any manner, and their support does not imply agreement on their part
with nor responsibility for any materials posted on or related to
the PRIVACY Forum.
-------------------------------------------------------------------

CONTENTS
        Flying the friendly skies anonymously (Wulf Losee)
        Taping Conversations (Daniel L. Hawes)
        AT&T reverses itself (Joseph S. Fulda)
        Re: AT&T and other phone access accounts (Chris Hibbert)
        Medical records in Maryland (Keep InforM.D.)
        New web page and risks to personal information (Joseph Richardson)
        Garage Door Openers (Carl Minie)
        A far-reaching privacy bill (Beth Givens)
        EPIC on Crypto Bill (David Sobel)

 *** Please include a RELEVANT "Subject:" line on all submissions! ***
            *** Submissions without them may be ignored! ***

-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and analysis of issues relating to the general topic of privacy (both personal and collective) in the "information age" of the 1990's and beyond. The moderator will choose submissions for inclusion based on their relevance and content. Submissions will not be routinely acknowledged.

All submissions should be addressed to "privacy@vortex.com" and must have RELEVANT "Subject:" lines; submissions without appropriate and relevant "Subject:" lines may be ignored. Excessive "signatures" on submissions are subject to editing. Subscriptions are by an automatic "listserv" system; for subscription information, please send a message consisting of the word "help" (quotes not included) in the BODY of a message to: "privacy-request@vortex.com". Mailing list problems should be reported to "list-maint@vortex.com". All messages included in this digest represent the views of their individual authors and all messages submitted must be appropriate to be distributable without limitations.

The PRIVACY Forum archive, including all issues of the digest and all related materials, is available via anonymous FTP from site "ftp.vortex.com", in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and enter your e-mail address as the password. The typical "README" and "INDEX" files are available to guide you through the files available for FTP access. PRIVACY Forum materials may also be obtained automatically via e-mail through the listserv system. Please follow the instructions above for getting the listserv "help" information, which includes details regarding the "index" and "get" listserv commands, which are used to access the PRIVACY Forum archive.

All PRIVACY Forum materials are available through the Internet Gopher system via a gopher server on site "gopher.vortex.com". Access to PRIVACY Forum materials is also available through the Internet World Wide Web (WWW) via the Vortex Technology WWW server at the URL: "http://www.vortex.com"; full keyword searching of all PRIVACY Forum files is available via WWW access.
-----------------------------------------------------------------------------

VOLUME 05, ISSUE 06

   Quote for the day:

        Pinky: "What are we going to do tomorrow night, Brain?"
        Brain: "The same thing we do every night, Pinky.
                Try to take over the world!"
                -- Rob Paulsen and Maurice LaMarche
                   "Pinky & The Brain" (1995- )

----------------------------------------------------------------------

Date: Sat, 24 Feb 1996 12:50:39 -0800
From: Wulf Losee
Subject: Flying the friendly skies anonymously

Recently, when taking a business flight from LA to San Francisco, I encountered a new and obnoxious "security" requirement that the FAA has imposed. I was asked to show a photo ID when checking my luggage at the ticket counter. Normally I do not carry my driver's license with me when I fly to cities with good public transportation systems (unless I'm going to rent a car). I've found that it's too easy to lose important documents (such as a driver's license) in the hustle-and-bustle of traveling.

When the United Airlines check-in clerk asked me for a photo ID, ironically, I was able to produce my license which, this time, I had forgotten to leave safely at home. I asked the counter clerk what would have happened if I didn't produce a photo ID -- would they have not let me on the plane? She looked troubled (as if that situation had never come up before?), and replied that my luggage might be subjected to extra scrutiny and that I might be "monitored". I asked her why they are doing these ID checks, and she replied that it has been FAA policy since the Unabomber threat against LAX.

Having had a security background, I was also interested in how United (and their FAA masters) would handle a passive challenge to their photo ID regulation on my flight back from San Francisco. Being the subversive and stubborn individual that I am, I was prepared to go as far as missing my flight to see what their response would be. When I checked my luggage, the clerk asked me for a photo ID, and I said I had none. She said: "You *must* have a photo ID!" I said: "sorry, no one notified me that I had to bring a photo ID with me to fly". She left her booth to get assistance. An audible groan went up with the people trapped in line behind me.

The woman directly behind me started to harangue me -- "Everybody knows you have to bring an ID with you to fly now!" I'm afraid I told her she was full of something -- something that the CDA won't allow me to mention over the Internet.

A harried supervisor returned and expressed his amazement that I didn't have a photo ID. I replied that I didn't know we had become a police state where we had to prove who we were every time we travel. "Well, it's FAA policy," he replied. I said that they were welcome to search me and my luggage to see that I was carrying nothing dangerous or illegal. He took me out of line at that point. He started calling *his* supervisor, pleading what to do. "Well, do you have *any* ID? Any ID at all?" he asked. I produced a credit card (not one of those cards with photos on them). He sighed in relief (but he didn't even check my name against the name on the ticket) and let me proceed through. Upon arrival at LAX, I could detect no signs that my checked luggage had been searched.

It occurs to me that the days when one could anonymously purchase a ticket with cash are over. Being able to travel anonymously in the US (at least by air) is no longer a real possibility (unless one has access to counterfeit IDs). It seems likely that airports will soon become, if they are not already, a point where the government actively tracks the movements of its citizens (for their own good, of course!).

Likewise, I was surprised at how poorly airline security responded to my ploy of claiming not to have a photo ID. I suspect that my ploy will not be possible in the near future, as the airlines and FAA develop ways to tighten up on security.

Any comments from my fellow Privacy readers?

Thanks,
Wulf

I do not speak for my employer, and my employer does not speak for me.

   [ The airport system operates on the basis of various "alert" levels. In the wake of terrorist activity anywhere in the world, these levels may be raised here in the U.S., and afterwards may not rapidly fall to their original levels. Additionally, the standard of "normal" security is being gradually raised throughout the system. One of the most serious of these security issues relates to checked baggage. The airlines need to try to make sure that no baggage gets onto a plane that doesn't have an identifiable face to go with it.

     Are these measures overly intrusive? Probably not, given the scope of the potential problem. In some parts of the world the "normal" security standard is much higher, and definitely more intrusive. Are these measures guarantees against terrorist events? Of course not; a determined person who doesn't care about their own safety is nearly impossible to stop--as recent events again underscore. But in an imperfect world, it's all a matter of balance.

                        -- MODERATOR ]

------------------------------

Date: 6 Mar 1996 11:43:26 EDT
From: dlh@marsmedia.com (Dlh)
Subject: Taping Conversations

==== In response to "CHARLES R TREW"
==== Subject: Taping Conversations, in reply to a query
==== regarding taping of teacher/parent interviews at a school
==== from David J. Coles

==== COLES SAID:

I am a teacher in a large school system. Recently I had a conference with a very abusive parent. The tone and actions of this parent were very threatening to me. I feel I need some protection at future conferences. Is it legal for me to tape record future conferences with this parent? Is it legal to do so without his knowledge? Must I inform him in advance if I intend to tape the conference? If he refuses, may I still legally tape the conference?

==== TREW SAID:

Any calls made to you at your home are fair game and, contrary to popular belief, you do not have to inform the other party you are recording.
For most practical purposes most phone calls are fair game for either party on the line; restrictions are primarily against third parties listening in unbeknownst to the other two. As I said, though, you are in a sensitive spot at the office.

Finally, if you decide to tape your office, home, phone, etc. *never* indicate to your subject you are going to tape them. You will all but guarantee an unpleasant discussion. If it's legal, it's your business anyway. If you are unsure you can always play the tape for your lawyer and then make a determination.

==== COMMENTS BY DAN HAWES:

While Federal law permits the recording of a private telephone conversation when any party to the conversation consents, there are a few states which have enacted laws with stricter standards, requiring the consent of all parties prior to the recording. Note that eavesdropping using any kind of device is prohibited to the same extent as is recording, with respect to private conversations.

In addition, Virginia law, and probably the laws of some other states, imposes further restrictions upon the recording of telephone conversations as a matter of admissibility of evidence. Unless the conversation involves an admission of criminal wrongdoing or is in itself criminal in nature, the party recording the conversation must advise all other parties of the fact of the recording, and must state the identity of all parties to the conversation, the date and the time, at the beginning of the taped part of the conversation, or the tape will be inadmissible as evidence.

Also, note that the proscription against the nonconsensual recording and eavesdropping only applies to private conversations, not all conversations. And in this context, the term "private" means that the individual has a "reasonable expectation of privacy" as that phrase has been used by the U.S. Sup. Ct. in interpreting the "search and seizure" logic of the Fourth Amendment. This is because the laws prohibiting nonconsensual recording were enacted pursuant to the Federal Omnibus Crime Control and Safe Streets Act of 1968, and were intended to clarify the conditions under which law enforcement agencies could conduct surveillance on citizens.

Finally, as to the suggestion that one tape first and ask the attorney later, I would advise the opposite. If the taping was criminal in nature, it will be illegal for the attorney to keep the tape, and it will be illegal to destroy the tape. While the attorney does not have to disclose the identity of the client, he will have to turn the tape over to the court as possible evidence, which may amount to the same thing.

Also, some states require proof of a "willful" violation, as opposed to an "intentional" violation. The difference is that proof of acting on advice of counsel is a defense to a "willful" violation (proof of an "intentional" violation requires only a showing that the person made the recording - to which insanity and mental incompetence are the only defenses). Ask the attorney first. If in doubt, don't.

Remember that the only "real" evidence is what a witness sworn to tell the truth will tell the court under oath. Documents, tapes, charts, etc. are only for the purpose of supporting testimony. Instead of taping, make contemporaneous hand-written notes of the conversation, identifying the date, time, person spoken with, and the relevant details of the conversation. You can refer to your contemporaneous notes in a trial to refresh your recollection of what was said.

Also, there is federal case law to the effect that having another person listen in on an extension telephone is not "eavesdropping using a device"; this is permissible in most states.

This is a complicated area of law. Get advice of counsel before using any kind of device to eavesdrop on, listen to, or record the private conversations of other people. Violations are generally punished as felonies. It isn't something to make mistakes about.

Daniel L. Hawes, Attorney at Law (Virginia)
Practice Limited to Civil Litigation.

------------------------------

Date: Sun, 25 Feb 1996 03:23:38 -0800 (PST)
From: Joseph S Fulda
Subject: AT&T reverses itself

The AT&T Universal Card (both VISA and MASTERCARD) used to require a PIN for telephone access to billing information--one of the few card-issuers to so require. The password now is just one's zip code. I inquired as to why the change was effected and was told that AT&T's customers didn't like having to use a PIN! Reminds one, yet again, that the price of liberty is eternal vigilance.

To AT&T's credit, however, the billing information now omits the credit line and available credit remaining.

Joseph S Fulda, CSE, PhD          Telephone: (212) 927-0662
701 West 177th Street, #21
New York, NY 10033                E-mail: kcla@csulb.edu

   [ In fact, reports indicate that quite a variety of information is indeed available via this system, virtually all of it of the sort that by all rights *should* be protected by a PIN. I'd urge persons carrying these cards to contact their customer service reps (the number is usually printed on the back of the cards) and make your feelings known about the ease with which your credit card information can be accessed without reasonable protections. Such complaints, if made by enough people, *can* have an impact.

                        -- MODERATOR ]

------------------------------

Date: Sun, 25 Feb 96 11:24:10 -0800
From: Chris Hibbert
Subject: Re: AT&T and other phone access accounts

DPeretz@accessone.com wrote about AT&T's InfoExpress system which allows anyone to access someone else's account history without a password, and then use the information gained as evidence that they are the person who owns the account and change various options on the account. When DPeretz asked the account rep to turn off InfoExpress, s/he was informed that it wasn't possible.
When I encounter this problem, the next request I make is that a password be added to my account, both for the phone access, and to make change orders. I haven't tried it in the case of a telephone company's services, but many other firms are quite willing to go along. I'm also pleased to report that they almost never let me add the password over the phone without detailed identifying information. Usually, they won't do it over the phone at all, and ask for a request in writing.

I also have usually been able to get the company to include a prompt. The clerks don't always understand that, but I can usually get them to use it correctly. I think they're putting the prompt in a comment field, but it works.

Sample dialogue:

  Me:  This is Chris Hibbert. My account # is xxxx. I'd like to order yyy.
  Rep: One moment... I have your account here. It says I'm supposed to
       ask you for a password.
  Me:  Oh right. Now which password was that? Is there a prompt there?
       What hint did I give?
  Rep: What do you mean? Oh, I see. It says I should ask you for a color.
  Me:  Oh, of course. Then the password is "Olive drab."

This way I can use a different password for each service, and I can make them obscure. I get a hint that'll help me, but presumably not an imposter.

Chris

   [ Some firms will do this. Many won't. My experience is that this option is most often not available, and in some cases where it *is* available the passwords are not uniformly required to get at the info (e.g. if you claim you forgot the password they might go ahead and give you the information anyway!) A poorly implemented password system, by giving an "illusion" of security, can be worse than no passwords at all.

                        -- MODERATOR ]

------------------------------

Date: Mon, 26 Feb 1996 03:18:45 +0500
From: "Keep InforM.D."
Subject: Medical records in Maryland

In 1993, the Maryland legislature passed a sweeping health care reform bill known as HB 1359. This 81 page bill - signed by Governor Schaefer - created (among other things) the Health Care Access and Cost Commission (HCACC) and charged them to create a database of ALL encounters with providers of care by patients.

The following must be reported to A STATE AGENCY (HCACC) WITHOUT YOUR CONSENT !!!

Taken from HCACC Notice of Proposed Action dated 06/23/95

 (1) Patient ID (your insurance ID number encrypted)
 (2) Patient Date of Birth
 (3) Patient Sex
 (4) Patient Race (W, B, Asian or Pacific Islander, Native American, Other)
 (5) Patient ZIP Code
 (6) Patient Covered by Other Insurance
 (7) Coverage Type (Medigap, Individual, Self Insured, Employer Plan, Public Employee)
 (8) Delivery System Type (HMO, P(oint) O(f) S(ervice), PPO or other Managed Care, Indemnity)
 (9) Claim Related Condition (Non accident, Work, Auto accident, Other accident)
(10) Practitioner Tax ID
(11) Participating Provider Indicator (Yes, No, Not coded)
(12) Claim Total Charge
(13) Claim Allowed Charge
(14) Reimbursement Amount
(15) Patient Liability (Patient copay and/or deductibles)
(16) Type of Bill (interim or final etc)
(17) Claim Control Number (the internal control number used by insurers to track claims)
(18) Claim Paid Date
(19) Number of Diagnosis Codes (up to ten indicators of your illness)
(20) Number of Line Items (up to 15 procedures)
(21) Diagnosis Codes (see (19))
(22) Service From Date (beginning treatment date)
(23) Service Thru date (ending date)
(24) Type of Service (Phys, Pharmacy, Lab, Medical equipment, Surgery, Dental)
(25) Place of Service (Inpatient, Outpatient hospital, Office, Surgicenter, Home, State or Local Clinic, Hospice, Intermediate Care Facility, Comprehensive Care Facility)
(26) Service Location Zip Code
(27) Unit Indicator (Miles, Anesthesia, Visits, Oxygen Units, Blood Units)
(28) The Number of Units in (27)
(29) Procedure Code (What Care was Provided)
(30) & (31) Modifiers
(32) Servicing Practice Identifier
(33) Billed Charge
(34) Amount Allowed

also--- Collect appropriate information relating to prescription drugs for each type of patient encounter with a pharmacist ...

Issue 1   You will not have the right to deny the state access to this information.

Issue 2   Psychiatric patients, in an effort to protect themselves from outsiders gaining knowledge of their treatment, pay the bills themselves to avoid the insurance company making a record and their employer finding out they are in treatment. THEY WILL LOSE THAT PROTECTION!!!

Issue 3   In 1996 and beyond, do you really want a governmental agency to have this access to your personal life ?

Issue 4   This information MUST BE PUBLISHED BY LAW. With all of the 34 items above, it will be very easy to identify you. This information will be sold without restriction.

Issue 5   Notice that RACE is a required element.

Issue 6   Does the state need to know your prescriptions ? Let's suppose a pharmaceutical company buys the information (they do in Florida- I verified it!!) they could mail brochures to you on drugs THEY want you to take.

Issue 7   Florida tracks only 80 surgical and medical codes. Why does the state need everything ?

Issue 8   What could a divorce lawyer do with the information (custody battle, etc)

Issue 9   What about patients who are HIV+ or have AIDS ?

Issue 10  Most states (No. Carolina, Virginia, California, Utah, ) who have created a much more limited version have already sold or given the database to a PRIVATE CONCERN. So don't be lulled into thinking that the state will always have control. In the law - they are allowed to contract with ANY nonprofit entity that is not an insurer.

WHAT CAN YOU DO ?

HB 557 mandates that you CONSENT in writing EACH TIME you are treated. That Hearing is set for Thursday FEBRUARY 29, 1996 in the Environmental Matters hearing room (Room 160) in The Lowe House Office Building in Annapolis Maryland. If you can't attend please call your representative at 1-800-492-7122. Other bills (HB 1018, HB 1030, HB 1031) related to this matter will be heard that day also.

YOU CAN E-MAIL ME YOUR SENTIMENTS AND I WILL TAKE THEM WITH ME AND PRESENT THEM ON YOUR BEHALF WHEN I TESTIFY.

e-mail informed@access.digex.net

Do not give up your right to privacy. You must act to save it. It is about to be stripped from you if you don't speak up.

Keep InforM.D.
Health Care News and Legislative Services
P. O. Box 709
Riderwood, Maryland 21139-0709
informed@access.digex.net

------------------------------

Date: Thu, 7 Mar 1996 09:11:41 -0500
From: Joseph125@aol.com
Subject: New web page and risks to personal information

   [ From Risks-Forum Digest; Volume 17 : Issue 86 ]

The web page of the week in the most recent Information Week is www.switchboard.com. It is a compilation of the telephone white pages from all across the nation. You can search on combinations of last name, first name, city and state to find long lost friends, relatives or just interesting names. (A quick search found a Santa Claus in FL and a Bunny Easter in WA.)

This kind of information is not particularly new, of course. What is interesting is that Switchboard allows you to register by identifying your listing and sending your email address. They send back a password. Now you can login and add or modify information in your listing or even make your listing "unlisted". It is clearly a very easy thing to use throwaway email addresses to modify any number of listings. Switchboard admits as much in their policy statement (http://www2.switchboard.com/policy.htm) saying that their security is "designed to discourage" such impersonation. They will correct any falsification with appropriate documentation and take steps (this seems to mean blocking access from the offending email address) to prevent additional occurrences including, if applicable, legal action. (I fear there is very little substance behind that claim.)

Despite Switchboard's benevolent claims, the possibilities make me nervous. I should note that when a listing has been modified by a user, it appears with an asterisk.
Joseph Richardson (Joseph125@aol.com)

   [ I've already been in contact with the operators of this service and expressed my concerns to them (I received a polite reply back indicating that they are at least aware of these issues). The ability to modify entries, without (in my view) adequate verification procedures was indeed my first concern as well. To their credit, it's refreshing to see an organization providing such data that at least publicly acknowledges that these issues exist.

     As far as the data itself is concerned, it does indeed appear to be based on white pages info, though in some cases listings that appear in telco records as first initial/last name may be shown with the full first name; this is a matter of concern to some people. There appears to be considerable stale data in the database (which is to be expected), and anecdotal evidence suggests that city names in particular may have a particularly high error rate. For the many persons who have their listings without any address shown in the telco records, the database apparently inserts a city name "guess" (based on phone prefix?) which appears to often be way off the mark.

     As usual, I urge you to make your feelings about this service, both pro and con, known to the folks who are operating it.

                        -- PRIVACY Forum MODERATOR ]

------------------------------

Date: Mon, 26 Feb 1996 14:50:33 -0500
From: Carl Minie
Subject: Garage Door Openers

Greetings:

I have heard several "teasers" for local and/or national news programs lately which promise to tell me how a crook could get into my house "with the touch of a button". I never watch TV long enough to hear the actual program, but I assume they are referring to machines which cycle through the limited number of infrared frequencies and/or patterns used by garage door openers until they hit the one that opens your garage door. I have read of such devices in "The Whole Spy Catalog" and other unusual sources.

My questions, for anyone informed about garage door openers or burglary techniques or both, would be:

1) Is this a growing problem, or just another way to keep you watching more commercials until the news comes on?

2) How difficult are these devices to come by? Do I need a license, or just some letterhead and checks printed with "Barabbas Garage Door Openers And House Cleaners Inc."?

3) Is there any way to prevent one of these devices from working on my garage door, other than setting the "Lock" switch on the inside of the door which also prevents me from using my own remote?

Thank you for your replies.

   [ Like most security-oriented devices, there is a range of protection offered by different equipment. It is certainly true that most garage door systems on the market until recently used either no codes (!) or simple/limited code systems that could indeed be easily cracked by the appropriate devices. There are newer systems now that use long word length, pseudorandom, key-changes-with-each-use codes, and these can be very secure. It's worth noting, however, that a person determined to gain entry to your garage is likely to use very low tech, but very effective, means to do so, that won't involve any electronics at all...

                        -- MODERATOR ]

------------------------------

Date: Thu, 29 Feb 1996 18:21:56 -0800 (PST)
From: Beth Givens
Subject: A far-reaching privacy bill

California state senator Steve Peace has introduced a bill, which if it passes, will give consumers a great deal of control over their personal information. The bill reads in part:

   "No person or corporation may use or distribute for profit any personal information concerning a person without that person's written consent. Such information includes, but is not limited to, an individual's credit history, finances, medical history, purchases, and travel patterns."

Senator Peace himself admits that the language is very broad at this time, and that the bill will no doubt be altered radically before it comes up for a vote.

Beth Givens                        Voice: 619-260-4160
Project Director                   Fax:   619-298-5681
Privacy Rights Clearinghouse       Hotline (Calif. only):
Center for Public Interest Law        800-773-7748
University of San Diego               619-298-3396 (elsewhere)
5998 Alcala Park                   e-mail: bgivens@acusd.edu
San Diego, CA 92110                http://pwa.acusd.edu/~prc

------------------------------

Date: 6 Mar 1996 14:07:25 -0500
From: "David Sobel"
Subject: EPIC on Crypto Bill

Washington, DC
March 6, 1996

Sen. Patrick Leahy (D-VT) and several other co-sponsors have introduced the Encrypted Communications Privacy Act of 1996 (S.1587). The proposed legislation comes in the midst of an ongoing debate concerning U.S. encryption policy and at a time when the need for secure electronic communications is becoming widely recognized. The explosive growth of the Internet underscores the need for policies that encourage the development and use of robust security technologies to protect sensitive personal and commercial information in the digital environment. The Electronic Privacy Information Center (EPIC) has long advocated adoption of a national encryption policy that emphasizes the protection of personal data and encourages the widespread dissemination of privacy-enhancing technologies.

The text of the proposed legislation is available at:

   http://www.epic.org/crypto/legislation/s1587.html

Analysis
--------

The proposed Encrypted Communications Privacy Act addresses a number of unresolved issues concerning the use of encryption technology.
The proposed legislation would: - Relax export controls by transferring authority for export decisions to the Secretary of Commerce, and mandate the removal of controls on "generally available" encryption software; - Create a legal framework for key escrow agents, including an obligation to disclose keys and assist law enforcement, and establish penalties for improper disclosure; - Affirm the freedom to use and sell encryption within the United States; and - Criminalize the use of encryption which may have the effect of obstructing a felony investigation. Export Control -------------- The bill moves encryption policy in the right direction by placing export control authority in the Commerce Department, rather than the State Department and the National Security Agency (NSA) -- the agencies currently charged with that responsibility. However, the legislation would only remove export controls on encryption software to the extent that software with similar capabilities is "generally available," or in the "public domain or publicly available." Likewise, controls would be lifted on hardware with encryption capabilities only if "a product offering comparable security is commercially available from a foreign supplier." These limitations raise two concerns: 1) The Commerce Department historically has been dependent upon NSA for assessments of the worldwide availability of encryption technology. The Commerce Department recently released the results of a survey it conducted of foreign encryption products. Portions of the Department's report were classified by NSA and withheld from public disclosure (EPIC is currently seeking the release of the complete report in a lawsuit filed under the Freedom of Information Act; Electronic Privacy Information Center v. Department of Commerce, C.A. No. 95-2228 (D.D.C.)). 
By conditioning the relaxation of export controls on a finding that similar products are "generally available," the legislation will likely perpetuate NSA's ability to influence export determinations and to thwart public oversight of Commerce Department actions. 2) The "generally available" requirement will continue to hamper the development of innovative security technology by U.S. firms. Restricting exports to products comparable to those already "available from a foreign supplier" will ensure that foreign, and not domestic, firms will be on the leading edge of privacy-enhancing technology. This is necessarily a non-competitive trade policy that will continue to obstruct the development of strong encryption. EPIC supports the efforts of the bill's sponsors to liberalize export control, but EPIC believes the bill should go further. EPIC supports the complete repeal of these out-dated barriers to the development and dissemination of software and hardware with encryption capabilities. This is a necessary step to ensure the development of a secure Global Information Infrastructure that promotes on-line commerce and preserves individual privacy. Key Escrow Procedures --------------------- As currently drafted, the bill does little to roll back the deployment of Clipper-inspired key-escrow encryption within the federal government. Indeed, a significant portion of the legislation is devoted to establishing a legal framework for the management of key-escrow systems in the private sector. The bill would restrict certain activities by key holders and impose criminal and civil penalties for the unauthorized disclosure of keys. Key holders could only release keys (1) with the consent of the person whose key is held; (2) as may be "necessarily incident to the holding of the key;" and (3) to law enforcement or investigative officers pursuant to federal wiretap law or the Foreign Intelligence Surveillance Act. 
Under the current bill, keys could be disclosed to law enforcement officials without satisfying a warrant requirement. The legislation also establishes reporting requirements on the number of orders and extensions served on key holders to obtain access to decryption keys or decryption assistance consistent with current reporting requirements in the federal wiretap statute. However, there are no provisions for notifying the subject of an investigation when keys are disclosed, even for the purpose of alerting the subject that the security of keys may have been compromised.

Statutory protection for the privacy of encryption keys appears to be a worthy goal. The bill's key-escrow procedures, however, must be considered in the context of the larger policy debate concerning encryption. Beginning with Clipper and continuing with the more recent "commercial key-escrow" proposal, law enforcement agencies and the national security community have lobbied aggressively for the implementation of key-escrow systems that would provide government the ability to decrypt secure data. Such proposals have also been supported by companies that have received substantial government contracts or promises of special deals on export licenses. Users and most businesses have remained firmly opposed to the key-escrow concept. Indeed, there is virtually no installed base for key-escrow encryption, while the number of users of non-escrowed encryption is in the millions.

By placing a Congressional imprimatur on the key-escrow concept, the legislation will have the effect of supporting an escrow scheme that has already been rejected by users and businesses. A statutory scheme that creates a legal framework for key-escrow is contrary to the privacy interests of network users and the security needs required for network development. EPIC recommends that the key escrow provisions of the bill be dropped.
Freedom to Use and Sell Encryption
----------------------------------

The proposed legislation appears to affirm an absolute right to use and sell encryption, but a close reading of the bill shows otherwise. The proposed legislation provides that it "shall be lawful for any person within ... the United States ... to use any encryption ..." and "to sell in interstate commerce any encryption ..." It then modifies that language with the words "except as provided in this Act and the amendments made in this Act or in any other law." As described below, the bill then sets out the first criminal penalties yet proposed for the domestic use of encryption. Other similar provisions could easily be added.

Since there is currently no regulation of encryption in the United States, supporters of the bill must explain what will be accomplished by this effort to establish a government regulatory scheme for the use of encryption. EPIC believes that there is a fundamental constitutional right to use encryption and would support only an unconditional articulation of that right. The current statutory framework clearly opens the door to further regulation of privacy-enhancing technologies.

"Unlawful Use of Encryption"
----------------------------

The proposed legislation contains the first explicit criminal penalties for the use of encryption within the United States. It would criminalize the use of encryption to "obstruct, impede, or prevent the communication of information in furtherance of a felony ... to an investigative or law enforcement officer." This provision is unlikely to add much to the existing legal arsenal available to law enforcement agencies or prosecutors. Use of encryption in furtherance of a crime could currently be prosecuted under existing conspiracy and obstruction of justice statutes.
The effect of the proposed provision could be to discourage the deployment of encryption where it is appropriate and to raise unnecessary suspicion about the use of routine security procedures. The net result could be an increased risk to public safety and network security. EPIC recommends that this provision be struck from the bill. As currently drafted, it is far too broad to serve any useful purpose.

Conclusion
----------

The proposed Encrypted Communications Privacy Act provides an opportunity to revise outdated encryption policies that have undermined network security, jeopardized personal privacy and frustrated public accountability. Although the current draft of the bill does not go far enough in removing antiquated controls on the export of encryption technology, the proposal recognizes the need for sweeping changes to the export regime. Removal of export restrictions on encryption technology is a pressing need and Congress should address the issue expeditiously.

Less desirable is the bill's promotion of key-escrow encryption. This is the Clipper-like scheme that should finally be laid to rest. Congressional action on key-escrow management is unnecessary and the issue certainly need not be addressed in conjunction with a relaxation of export controls. Legislation concerning key-escrow will have a detrimental effect on the development of secure network technologies and necessary privacy safeguards. EPIC will remain opposed to this provision.

EPIC commends the sponsors of the proposed legislation for moving the public debate on the relaxation of export controls forward and recognizing the need for an overhaul of an outdated policy. We are confident that further consideration of the unnecessary and potentially dangerous provisions contained in the current version will result in a legislative approach that best serves the needs of all concerned -- users, industry and government.
------------------------------

End of PRIVACY Forum Digest 05.06
************************